Memory Corruption vulnerability in Application Server ABAP of SAP NetWeaver and ABAP Platform
CVE-2026-27671

9.8CRITICAL

Key Information:

Vendor: SAP
Status: SAP Netweaver And Abap Platform
Vendor: CVE Published:; 9 June 2026

What is CVE-2026-27671?

Due to improper RFC protocol validation in the SAP Kernel used by the Application Server ABAP of SAP NetWeaver and ABAP Platform, an unauthenticated attacker can send a crafted RFC request that exploits logical errors in memory management, leading to memory corruption. This could lead to a high impact on the confidentiality, integrity, and availability of the application.

Affected Version(s)

SAP NetWeaver and ABAP Platform KRNL64NUC 7.22

SAP NetWeaver and ABAP Platform 7.22EXT

SAP NetWeaver and ABAP Platform KRNL64UC 7.22

References

https://me.sap.com/notes/3717897

https://url.sap/sapsecuritypatchday

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 9, 2026
Vulnerability Reserved
Feb 23, 2026

CVE-2026-27671 Data

JSON